In 2000, the U.S. Congress passed the Electronic Signatures in Global and National Commerce Act, recognizing electronic signatures as legally binding under certain specified conditions.
To hold up in court, an electronic or digital signature must have:
- A seal or digital certificate that can verify its origin, or that references a key certified by a third-party guarantor
- A sufficient audit trail leading back to the signatory parties
- Evidence of identity authentication methods used to verify signatory identities
Despite being legally recognized more than 20 years ago, electronic signature adoption remained limited until the shift to remote work under COVID-19 restrictions in 2020. As of Q4 2021, 95% of companies reported that they had either adopted electronic signatures or planned to do so soon. Among companies that have already implemented electronic signatures, two-thirds adopted them within the last two years.
Although wide-scale adoption of electronic signatures began as a temporary adaptation, the practice has demonstrated significant operational benefits.
- Using electronic signatures can reduce the document processing time by 45%
- Among electronic signature users, 54% report faster sales cycles
- A majority of clients – 69% – prefer to use electronic signatures to sign forms online and consider them more secure
Security Concerns and Different Kinds of Electronic Signatures
Although people tend to use the terms interchangeably, electronic and digital signatures are not the same thing. A digital signature is a specific, cryptographically verifiable kind of electronic signature: it is computed over the signed document with the signer's private key, so it can be checked mathematically rather than merely recorded.
Electronic Signatures
Under U.S. law, an electronic signature is any electronic sound, symbol, or process attached to or logically associated with a record and adopted by a person with the intent to sign it. A typed name, a checked box, or a drawn image of a signature all qualify. For most legal purposes, a reliable record of that intent tied to the electronic signature is enough to make it binding. Nothing about such a signature by itself proves who made it or that the document was not altered afterward; that evidence has to come from the surrounding audit trail.
Digital Signatures
A digital signature is a cryptographic value computed over a document with the signer's private key. The matching public key is published in a digital certificate (also called a public key certificate) that a trusted third party has issued in the signer's name. Together they let anyone holding the certificate confirm who signed and that the document has not changed since signing, much as a fingerprint ties a person to a specific surface. The trust arrangement that issues and vouches for those certificates is public key infrastructure (PKI). PKI is not an encryption format; it is the system of certificate authorities, certificates and revocation records that lets a verifier trust a public key it has never seen before.
A PKI-backed signature binds three things together: the identity of the signing party (from the certificate), the exact contents of the document (through a cryptographic hash that the signature covers), and, when a timestamp authority is used, the time of signing. Functionally, PKI solves the key-distribution problem of communicating securely over a public network: it gives a recipient a way to trust a public key from a party it has never met.
A PKI-backed digital signature involves three parties:
- The signer, who sends the signed document
- The recipient, who verifies the signature
- A certificate authority (CA), a trusted third party that issues and vouches for certificates; the CA often delegates identity checks to a registration authority (RA)
The flow works like this. The signer generates a key pair; the private key stays under the signer's sole control and is never sent to anyone, including the CA. The signer submits a certificate request containing the public key and identity details to the RA or CA, which verifies the identity and issues a certificate binding that public key to the signer's name. To sign, the signer computes a hash of the document and signs the hash with the private key, then delivers the document, the signature and the certificate to the recipient. The recipient checks that the certificate chains to a CA it trusts and has not been revoked, then verifies the signature with the public key from the certificate. Because the signature covers a hash of the document, changing even one byte after signing causes verification to fail. If a party later contests the document, the verifiable signature, the certificate and the CA's issuance records together provide evidence that the named signer approved exactly that content.
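The flow described above, as an added example that is not FileInvite's code or any e-signature product's implementation: a Go program using only the standard library, in which a constructed CA issues a certificate to a signer, the signer signs a SHA-256 hash of a constructed document with an ECDSA private key, and the recipient verifies both the certificate chain and the signature. The CA name, the signer name and the document text are placeholders; the CA's identity vetting and revocation checking are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue gives tmpl a random serial and a 24h validity window, has signKey sign
// it under parent (parent == tmpl yields a self-signed cert) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed certificate authority, standing in for the
// third-party guarantor. The CA name is a constructed placeholder.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Signing CA"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// EnrollSigner models enrollment: the signer generates its own key pair, and the
// CA (identity vetting assumed done) issues a certificate binding only the public key to the name.
func EnrollSigner(name string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:  pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, caCert, &key.PublicKey, caKey) // private key never leaves the signer
	return key, cert, err
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key (ECDSA P-256, ASN.1 DER encoded signature).
func SignDocument(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument is the recipient's check: the certificate must chain to a CA the
// recipient trusts, and the signature must match the document's current hash.
func VerifyDocument(doc, sig []byte, signerCert, caCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match document contents")
	}
	return nil
}

func main() {
	caCert, caKey, _ := NewCA() // errors ignored only in this demo driver
	aliceKey, aliceCert, _ := EnrollSigner("Alice Example", caCert, caKey)
	doc := []byte("Lease agreement v3 (constructed sample document)")
	sig, _ := SignDocument(doc, aliceKey)
	fmt.Println("original verifies:", VerifyDocument(doc, sig, aliceCert, caCert))
	doc[0] ^= 1 // alter a single bit after signing
	fmt.Println("tampered verifies:", VerifyDocument(doc, sig, aliceCert, caCert))
}
```

Two things to notice: the CA never sees the signer's private key, and verification of the altered document fails because the signature covers the hash of its contents, not the signer's identity alone. A production verifier would additionally check revocation (CRL or OCSP) and, for long-lived evidence, a trusted timestamp, which this example omits.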
Security Best Practices for Electronic Signatures
Electronic signature services offer varying degrees of information security. When evaluating the security credibility of third-party services, you should ask yourself the following questions:
- Does the signature carry a digital certificate?
- What are the security credentials of the certificate authority (and any registration authority it relies on) and of the signature service provider?
- What are your organization’s protocols for issuing electronic signatures? Is there oversight? Do all signatories use the same services?
Digital signatures backed by certificates provide the strongest evidence for verifying a document's contents and the identities of its signers in a legal context. Other forms of electronic signatures are legally binding, but a PKI-backed signature establishes the clearest audit trail: a cryptographic proof that ties a specific signer to specific content, together with documented identity verification by the issuing certificate authority.
Assessing third-party security standards is challenging. In the last 18 months, 79% of SaaS providers have experienced a cloud data breach, and nearly all of those breaches originated with human error or malicious insider activity. Naturally, this is not something vendors lead with in a sales pitch.
To make an informed assessment, you need a reference standard. For infosec, a widely used one is the Service Organization Control (SOC) reporting framework defined by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report is an independent auditor's attestation on an organization's security controls: a Type 1 report assesses whether the controls are suitably designed at a point in time, while a Type 2 report assesses whether they operated effectively over a review period, typically six to twelve months. For organizations that handle sensitive personal or financial information, the SOC 2 Type 2 report is the one to ask for.
FileInvite’s E-Signatures Check the Boxes
FileInvite provides a secure file-sharing platform for sending and receiving electronically signed documents. FileInvite also offers end-to-end 256-bit encryption for all data in transit and at rest and maintains SOC 2 Type 2 compliance.
To learn more and request a demo, visit FileInvite today.